0

I did a vulnerability scan on some of our company workstations. These are workstations used by employees (dev, HR, accounting, etc.) to do their job. One of the common result I found is SSL/TLS Certificate Signed Using Weak Hashing Algorithm. Based on the vulnerability description "An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service." I'm thinking this is more on a server side.

My question is, what could be the impact of this in an ordinary workstation?
What can an attacker/pentester do to the workstation with this vulnerability?

Finn
  • 13
  • 5

1 Answers1

0

Background for context:

Digital certificates bind trusted identity information to a public/private key pair.

The identity information is trusted because the certificate is cryptographically signed by a trusted Certificate Authority (CA).

There's an excellent explanation of the hashing and signature process in this answer.

Answer:

In short, an attacker could create a trusted copy of the workstation certificate and use it to impersonate the workstation. The impact of this is dependant on the role of the workstation and its certificate in your network. However, this vulnerability is very expensive to exploit and it's unlikely any attacker would attempt to do so.

An attacker could generate their own key pair (meaning that they control the private key) and subsequently a certificate associating any identity information they like with the key pair. Under normal circumstances, it would be easy to verify that the trusted CA hasn't signed the certificate by comparing hashes - thus the certificate would be invalid and untrusted.

However, where the hashing algorithm is weak, it is technically possible for an attacker to create a fake certificate with a hash that matches that of a genuine certificate, resulting in the fake certificate being trusted.

This has been achieved with certificates using the MD5 hashing algorithm.

There is a good write-up from Cloudflare on this here

The Cloudflare article is a little old and SHA-1 collision attacks are now real, but fortunately only apply when certificate serial numbers are predictable.

I say technically above, because certificate attacks cost tens of thousands of dollars:

By renting a GPU cluster online, the entire chosen-prefix collision attack on SHA-1 costed us about 75k USD. However, at the time of computation, our implementation was not optimal and we lost some time (because research). Besides, computation prices went further down since then, so we estimate that our attack costs today about 45k USD. As computation costs continue to decrease rapidly, we evaluate that it should cost less than 10k USD to generate a chosen-prefix collision attack on SHA-1 by 2025.

If you're prioritising vulnerabilities for remediation, this one should be near the bottom of the list from a practical risk perspective. The reality though, is that weak hashing algorithms on certificates have got quite a lot of press and many people overlook the difficulties of real-world exploitation, so it may be beneficial to replace the certificate with a SHA-256 or above equivalent from a perception of risk perspective.

Unencoded
  • 201
  • 1
  • 7